AWS: How To Setup A Site-to-Site VPN (Start to Finish) 2024

00:00

hello everyone my name is techno and

00:02

today we're going to create a sight to

00:04

sight VPN and this is a speedrun Edition

00:07

so if you're looking for an explanation

00:08

I already do have a video about that

00:10

where I go in depth of why I create

00:13

certain things and how it's done on the

00:14

AWS side but in this video today I'm

00:17

going to show you exactly how to create

00:18

a sight to sight VPN and I'll just go

00:21

through everything really quickly so

00:22

that way you'll be able to see me

00:24

testing from 2 AWS ec2 instances but

00:27

this is all done on the cloud and not on

00:30

Prem because I don't have on- pram

00:31

device so with that being said let's go

00:33

ahead and begin right off the bat I

00:35

already have two vpcs that I already

00:36

created and I've already created two ec2

00:39

instances over here on VPC 2 or on the

00:44

19216801 16 Network this can be

00:46

considered your on Prem device so

00:49

because bpc2 is going to be acting as

00:51

your on Prem device you want to make

00:53

sure that one ec2 is considered as your

00:56

router or your firewall that connects to

00:59

ads yes because in the real world

01:01

situation when you have a sight to side

01:03

VPN you're going to have a router which

01:06

has a public IP address that will be

01:08

able to connect with AWS so I'll go

01:10

ahead and show you exactly what I'm

01:12

doing right now on what should already

01:14

be configured so as you can see I

01:15

already have vpc1 and VPC 2 so I'll just

01:19

rename this for Simplicity so VPC 2-on

01:22

Prem so that way we don't get confused

01:25

between vpc1 and VPC 2 um likewise for

01:28

vpc1 I'm just going to call this vpc1 D

01:31

AWS so that way we know this is the AWS

01:35

site and then bpc2 is your on-prem site

01:38

of course if you do have an on-prem site

01:40

you don't need to create VPC number two

01:43

now the next step is to go to your ec2

01:46

instance and create all the ec2

01:49

instances that you'll want to establish

01:51

connection or connectivity with each

01:53

other now keep in mind that these two

01:56

ec2 instances ec21 and ec2 have already

02:00

been created so I'm not going to go

02:01

through the steps on creating ec2s and

02:04

whatnot if you haven't already just go

02:05

ahead and check out my other video for

02:07

an in-depth explanation as I said so I'm

02:10

just going to go ahead and launch these

02:13

instances or bring them up so I'm going

02:15

to click on start instances and the only

02:17

thing that I be creating now is your

02:20

router or your firewall which is in this

02:22

case a strong Swan ec2 instance we can

02:25

go ahead and call this strong

02:27

Swan scroll down and go to Amazon Amazon

02:30

Linux 2 because Amazon Linux 3 does not

02:32

support strong SW anymore remember that

02:35

this is just for demo purposes I don't

02:37

have a Cisco ASA nor do I have like a

02:39

Pao Alto router for testing purposes so

02:42

this is why we're going with strong Swan

02:43

since it's free so we can go ahead and

02:45

click on key pair I already have a key

02:47

pair already if you don't go ahead and

02:49

create one right over here was this

02:51

create new pair network settings we're

02:53

going to go on VPC number two which is

02:55

your on Prem IP address or on Prem

02:58

site subnet should be in a public subnet

03:01

so we can SSH into it as far as Security

03:04

Group I already have one in place that

03:06

allows SSH as well as

03:08

icmp and one more thing is whenever you

03:11

create this ec2 instance make sure that

03:14

it has a public IP

03:17

address so over here where it says Auto

03:20

assign public IP click on enable and

03:23

you're good to go and launch this ec2 so

03:25

going back to my diagram you should

03:27

already have three ec2 instances created

03:29

one on your AWS AWS VPC and two of them

03:34

on your om Prem VPC we're going to go on

03:36

the left hand side where this customer

03:38

Gateway and create a customer Gateway

03:41

this customer Gateway is so that ad ofs

03:43

knows what the IP address is for your on

03:45

Prem site so if we go back to this

03:49

strong Swan ec2 instance that we created

03:52

you'll notice that the public IP address

03:54

is this

03:55

100410 19 IP address so we go back to

03:58

the customer Gateway tab

04:00

type in strong Swan or any kind of

04:02

nameing convention so that way you know

04:04

that this is your on Prem router and

04:06

then paste the IP address and we can

04:09

ignore the certificate Arn and

04:11

everything else and create this customer

04:13

Gateway same thing on the left hand side

04:14

go down to Virtual private Gateway click

04:16

on that create a virtual private Gateway

04:20

and call this

04:22

vpg or anything you'd like to call it so

04:24

on the top right corner of your screen

04:26

you can click on attach to

04:28

VPC and we want to attach it to your VPC

04:32

D1 AWS because in a real world scenario

04:35

your virtual private Gateway can only

04:37

connect to one VPC in this case we want

04:40

the AWS VPC to be connected which is VPC

04:43

number one so once that's attaching the

04:45

last thing that we can do is create

04:47

sight to sight VPN so on the left hand

04:49

side again right below virtual private

04:51

Gateway click on sight to sight VPN

04:52

connection go to the top right and

04:54

create your VPN connection call this

04:57

site to site

05:01

dvpn or anything you'd like to call it

05:03

click on your virtual private Gateway

05:05

that was created customer Gateway same

05:07

thing the one that we just created in

05:10

this demonstration I'll show you how to

05:11

create a static side to side VPN and sub

05:13

Dynamic static prefix we we're going to

05:15

just leave it as is for now the local

05:18

and remote cider so the local cider

05:20

would be from your on-prem device and if

05:22

we look back at this diagram it should

05:24

be the 192168 IP address range so on

05:28

this local CER you can go and type in

05:31

192.168.0.0 sl16 you could also leave

05:35

Squad zeros but if we want to imagine as

05:38

if this was a real world situation it's

05:40

more ideal to have your on Prime IP

05:42

address range in this diagram it's the

05:45

10.0.0.0 sl16

05:51

network okay tunnel one and tunnel 2

05:54

options I'm just going to go ahead and

05:56

leave it as default I'm not going to

05:58

make any changes to it lastly just click

06:00

on create VPN

06:03

connection so we're almost there we

06:05

created a sight toight VPN we already

06:07

know that it's attaching to the VPC

06:11

which is VPC number one or the AWS

06:14

VPC and over here we can see that this

06:17

strong swan ec2 has been

06:20

created now keep in mind that when you

06:23

click on the strong Swan ec2 you should

06:26

go onto action networking change source

06:29

in destination check and click on the

06:31

check box for stop the reason why we

06:34

want it to stop is so that if traffic is

06:37

heading towards any ec2 instance that's

06:39

not the strong Spa device packets will

06:41

not automatically get dropped and it

06:43

will just forward it to the next

06:44

destination the next step is to connect

06:46

to the strong SW ec2 instance click on

06:50

connect and if you see this bird icon

06:52

that means you successfully connected to

06:54

your ec2 keep in mind that you need to

06:56

allow SSH onto your security group and

06:59

make sure that your network ACL is quad

07:01

zeros for both inbound and outbound

07:03

rules so now that we can confirm and

07:05

connect to this ec2 instance or the

07:08

strong Swan ec2 instance which is

07:10

pretending to be your on Prem customer

07:12

Gateway device the last thing that we

07:14

need to do is configure this ec2 so that

07:16

way it's configured to use strong spawn

07:19

and we can go ahead and establish that

07:20

side to side bpn connection so go back

07:23

to your side to set VPN click on

07:25

download configuration scroll down here

07:29

this is future Brandon I just want to

07:31

give a heads up that you should be using

07:33

open Swan instead of strong Swan now

07:35

that we've logged into our ec2 instance

07:37

we're going to go ahead and start

07:37

configuring according to this file so

07:39

we're going to go ahead and click on

07:41

pseudo or type in pseudo Su go to system

07:46

CTL com so pseudo Nano paste and then

07:51

hit enter copy all these three lines I

07:53

know that down here already has it but

07:56

go ahead and just delete it for safety

07:58

measures and then paste everything

07:59

everything as needed contrl x y and

08:02

enter and then it says to apply changes

08:04

by typing in system

08:07

c-p and after step one I did forget to

08:10

do one important step which was to

08:12

install op one so we can go ahead and

08:14

type in pseudo yum install open

08:22

Swan hit y for

08:28

yes

08:30

okay now that we're done we can go ahead

08:32

and start following step two or step

08:34

three now so open up this IP sec.com

08:37

contrl C pseudo

08:42

Nano paste after opening up this file we

08:45

can go ahead and copy this line over

08:48

here paste it and then we're going to

08:50

remove this hashtag or pound sign crl X

08:56

Y enter now we have to create a new file

08:59

file aws.com so contrl C pseudo Nano

09:03

same thing again paste enter and then

09:07

we're going to go ahead and type in the

09:09

following values so after we open up

09:11

this file one thing that you should

09:13

modify on the notepad is to go over here

09:15

where it says left subnet which is your

09:17

local network local meaning your on Prem

09:20

IP which is the

09:22

192.168.0.0 sl6

09:25

IP and right below that is your AWS IP

09:28

address which in this case is 10.0.0

09:32

sl16 so then go ahead and copy

09:35

everything else control

09:38

C paste it in

09:40

here and then crl X Y enter lastly on

09:45

step five we have to create a new file

09:47

pseudo Nano paste and enter copy this

09:51

line once you paste it click on CR X Y

09:55

enter one thing that I did forget to

09:57

mention is that over here where it thiss

09:58

AU equals ESP go ahead and remove that

10:01

and then save everything crl x y for yes

10:04

and enter okay so now that this is

10:06

established for tunnel one if you want

10:08

to do the same on Tunnel 2 you're more

10:09

than welcome to do so just do the same

10:11

exact thing for tunnel one except do it

10:13

for tunnel 2 lastly we need to go ahead

10:15

and start our SAT toite VPN by typing in

10:18

pseudo system CTL start IP SEC okay so

10:23

this is our first error that we've

10:24

encountered where it says fail to start

10:26

internet key exchange protocol so I'm

10:29

going to go ahead and recheck every

10:30

single step that I made because I

10:32

probably did make a typo of some sort I

10:34

might have not noticed it we're going to

10:35

go from step five all the way down to

10:36

step uh step one and see what happened

10:39

or what's the issue not sure if these uh

10:41

these spaces make a difference but I'm

10:42

just going to go ahead and contrl

10:44

X enter and then lastly step two says

10:48

system

10:50

c-p now I'm going to go ahead and start

10:52

the IP SEC

10:54

again and that did the trick I don't

10:57

know if it's because I forgot to put in

10:58

the the system c-p but I just went

11:01

through step five and went backwards to

11:03

make sure I didn't make any typos and

11:04

repasted everything so now if I go ahead

11:07

and type in

11:08

pseudo system CTL status IP SEC it

11:14

should now say active and running if we

11:16

go ahead and go to the S to set VPN and

11:18

refresh the

11:20

page it now says available available

11:22

just means that the side to side VPN is

11:24

created it's not modifying it's not

11:26

getting deleted that's not the main

11:28

focus the main focus is on Tunnel one so

11:31

I'm going to go ahead and minimize this

11:33

tab click on the side to side VPN tunnel

11:35

details right now it shows us down but

11:39

I'm pretty sure if we wait for a little

11:41

bit it's going to go into the upstate so

11:44

if you notice over here we go to ec2

11:46

number one networking go to the subnet

11:48

ID route table click on this route table

11:51

open up this route table go to routes

11:53

edit routes so rather than forwarding

11:56

traffic to the VPC Pier because this was

11:58

done in my previous video instead of

12:00

Performing VPC peering this is now going

12:03

to be done through a virtual private

12:04

Gateway in this case click on Virtual

12:07

private Gateway and over here this is

12:09

the virtual private Gateway that we

12:11

created at the beginning of this video

12:13

and then click on Save changes so right

12:15

now we just created a static route that

12:18

forwards or forces traffic from your AWS

12:22

VPC number one to forward traffic over

12:24

to VPC number two or your arm Prem site

12:27

let's go ahead and double check our set

12:28

to set VPN and check on Tunnel one to

12:30

see if it actually came

12:33

up so over here if we refresh the page

12:36

one more time click on side to side VPN

12:39

tunnel details look at that it says

12:42

tunnel one is up so now that we created

12:44

the site to sight VPN the last thing

12:46

that we're doing is sending traffic so

12:49

for Simplicity Reasons I'm just sending

12:50

icmp traffic so earlier we already know

12:53

that ec2 instance number one should now

12:55

know how to forward traffic over to the

12:57

S to side VPN but on the return traffic

13:00

we need to make sure that the ec2

13:01

instances know how to forward traffic

13:04

from a specific ec2 instance out to the

13:07

sight to sight VPN because in a because

13:09

on your arm Prem side of course you're

13:11

going to send traffic to your firewall

13:13

if we go ahead and go to ec2 instance

13:15

number two go to networking click on the

13:18

subnet ID and then go onto the route

13:20

table edit this route table click on

13:23

routes so right now we have a VPC Pier

13:25

but I don't want that VPC Pier to be

13:27

there because that would defeat the

13:29

whole purpose of a set to set VPN so

13:31

we're going to go ahead and eliminate

13:32

this and put in instance so after you

13:35

copy the open Swan ec2 instance you can

13:39

go ahead and click over here and make

13:43

sure that this says well right now it

13:46

says strong Swan on the the name we are

13:48

going to go ahead and go on to ec2

13:49

instance number two Security Group look

13:51

at the Ingress Rule and allow icmp

13:54

because in my previous video I removed

13:56

it but I forgot to add it back in so

13:58

click on all icmp ipv4 from anywhere of

14:02

course you don't want it from anywhere

14:03

you want this specifically from your arm

14:06

pram or AWS IP address

14:08

range but for demo purposes of course

14:11

I'm just going to go ahead and put it as

14:13

quad zeros let's go ahead and recap and

14:15

discuss what we've done so far so as of

14:17

right now we have three ec2 instance

14:19

that were created we have ec2 instance

14:21

number one number two and this one

14:23

called op Swan VPC we already know that

14:27

a s to side VPN was created we

14:28

configured open Swan to establish that

14:32

sight toight VPN connection with the AWS

14:35

VPC number one so all we're doing now is

14:38

making sure that the route tables on VPC

14:40

number one is forwarding to a virtual

14:42

private Gateway and on VPC number two

14:45

we're forwarding traffic to the ec2

14:47

instance the open Swan ec2 instance so

14:50

this means that anytime traffic should

14:52

be going out to the set to set VPN

14:55

traffic should be going to the open Swan

14:57

ec2 and by by creating bpc2 we've been

15:00

able to create or replicate a arm Prem

15:03

so now the last step is to send icmp

15:06

packets keep in mind that your Security

15:08

Group should already be allowing for

15:10

Ingress and egress for icmp so if you

15:13

don't have it already go ahead and do

15:15

that now so to make sure that we are now

15:17

establishing this icmp test we're going

15:19

to go on to ec2 instance number

15:21

one this is your AWS ec2 by the way so

15:25

pretend as if you want to connect from

15:26

AWS to your on Prem we're going to go go

15:28

ahead and copy the ec2 instance private

15:31

IP address and this is in your on Prem

15:33

site by the way so the 192168 network

15:36

ping and now you'll notice that traffic

15:38

is now forwarding quick pause this is a

15:41

ping test from the ec2 instance number

15:42

two to the op one ec2 instance okay so

15:45

for the last step over here if you click

15:47

on static route this is a side to side

15:49

VPN where it's using static routing so

15:51

you want to make sure that you click on

15:53

static routes and you put in the on Prem

15:57

or the VPC number two to IP address

15:59

range and place it over here and then

16:02

click on Save

16:03

changes so once you go ahead and do that

16:05

I'm just going to go ahead and start

16:07

pinging the on Prem

16:09

device so copy this IP address paste

16:14

it and hit enter and it looks like we

16:18

can ping ec2 number two or the on-prem

16:21

site and same thing again we're just

16:23

going to go ahead and ping from the on

16:25

Prem site over to the ec2 instance

16:27

number one

16:31

so once we go ahead and paste

16:33

that we can

16:36

confirm we can go ahead and

16:38

confirm that the icmp Ping is

16:43

working and that is how you create your

16:46

sight to sight VPN speedrun Edition I

16:48

hope this information was helpful to you

16:50

because I know that in my previous video

16:52

I didn't really show my final test

16:53

results basically at the very end just

16:56

like what you saw at the static route I

16:57

just forgot got to add in that static

16:59

route and I didn't show it because I

17:01

deleted my ec2 instances at the time I

17:04

created that video but now that I've go

17:06

gone ahead and done the same exact thing

17:08

on this video you should now be able to

17:10

create that side to side VPN as well as

17:13

understand how to Ping from AWS to AWS

17:16

even if you don't have an on Prem site

17:18

to actually use I hope my video was

17:20

helpful to you if you found it helpful

17:22

like subscribe and comment on my video

17:24

and I'll see you in my next one

17:27

bye